SSL Server Has SSLv2 Enabled Vulnerability
Occasional Visitor
Dave K.
Posts: 2
Registered: ‎08-12-2005
Message 1 of 6 (1,638 Views)

SSL Server Has SSLv2 Enabled Vulnerability

SSL Server Has SSLv2 Enabled Vulnerability port 2381/tcp over SSL

Is there a way to mitigate this by going to SSLv3? I assume this is referring to Systems Manager.

Thanks

P.S. This thread has been moved from ITRC server mgmt (Insight Manager 7) Forum to ITRC HP Systems Insight Manager Forum - HP Forums Moderator

Honored Contributor
Rich Purvis
Posts: 470
Registered: ‎05-11-2004
Message 2 of 6 (1,638 Views)

Re: SSL Server Has SSLv2 Enabled Vulnerability

The software on port 2381 supports both SSLv2 and SSLv3.

-Rich
Why does my tivo keep recording Nickelodeon?
Occasional Visitor
Dave K.
Posts: 2
Registered: ‎08-12-2005
Message 3 of 6 (1,638 Views)

Re: SSL Server Has SSLv2 Enabled Vulnerability

How do you disable v2 so that only v3 is enabled?
Occasional Visitor
Josef Roth_2
Posts: 2
Registered: ‎06-21-2005
Message 4 of 6 (1,638 Views)

Re: SSL Server Has SSLv2 Enabled Vulnerability

I have the following security vulnerabilities on several hundred ProLiant servers.

- SSL Server Supports Weak Encryption
- SSL Server Uses Weak Encryption
- SSL Server Has SSLv2 Enabled
- SSL Certificate - Signature Verification Failed
- SSL Certificate - Self-Signed Certificate
- SSL Certificate - Subject Common Name Does Not Match Server FQDN

All of them are caused by the HP System Management Homepage (v2.0.1.104) which listens on SSL port 2381. Is there a way to enable SSLv3 and turn off SSLv2 and also restrict access to strong encryption only?

I got stuck and it seems it is not possible to disable v2. My attempts to change the config file "C:\hp\hpsmh\conf\smhpd.conf" were without success. The file gets dumped when the SysMgmtHP service starts up. Therefore, I assume configuration settings are hard coded somewhere.

A look at the SSLCipherSuite entry shows that v2 is enabled.
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:-LOW:+eNULL

This should be changed to:
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:-SSLv2:+SSLv3:+EXP:-LOW:+eNULL

Thanks
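
Added example, not part of the post above and not HP's code: a small Python model of how OpenSSL-style cipher strings treat the `+`, `-` and `!` operators, run over the two SSLCipherSuite values quoted in the post. The suite table and its tags are a constructed subset for illustration, and ALL is assumed to exclude eNULL as the OpenSSL ciphers documentation describes.

```python
# Constructed mini-table: suite name -> selector tags (illustrative subset only).
SUITES = {
    "AES256-SHA":     {"SSLv3", "HIGH", "RSA", "AES"},
    "RC4-SHA":        {"SSLv3", "MEDIUM", "RSA", "RC4"},
    "DES-CBC-SHA":    {"SSLv3", "LOW", "RSA", "DES"},
    "EXP-RC4-MD5":    {"SSLv3", "EXP", "EXPORT40", "RSA", "RC4"},
    "ADH-AES256-SHA": {"SSLv3", "HIGH", "ADH", "AES"},
    "NULL-SHA":       {"SSLv3", "eNULL", "RSA"},
    "DES-CBC3-MD5":   {"SSLv2", "HIGH", "RSA", "3DES"},
    "RC2-CBC-MD5":    {"SSLv2", "MEDIUM", "RSA", "RC2"},
    "DES-CBC-MD5":    {"SSLv2", "LOW", "RSA", "DES"},
}
# The two values quoted in the post.
CURRENT = "ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:-LOW:+eNULL"
PROPOSED = "ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:-SSLv2:+SSLv3:+EXP:-LOW:+eNULL"

def matches(tags, selector):
    """'A+B' inside a selector is a logical AND; ALL skips eNULL suites."""
    if selector == "ALL":
        return "eNULL" not in tags
    return all(part in tags for part in selector.split("+"))

def evaluate(cipher_string):
    """Return the ordered list of suites left enabled by the string."""
    enabled, killed = [], set()
    for token in cipher_string.split(":"):
        op = token[0] if token[0] in "+-!" else ""
        hit = [n for n, t in SUITES.items() if matches(t, token[len(op):])]
        if op == "!":      # delete permanently; later tokens cannot re-add
            killed.update(hit)
            enabled = [n for n in enabled if n not in hit]
        elif op == "-":    # delete, but a later plain token may re-add
            enabled = [n for n in enabled if n not in hit]
        elif op == "+":    # only reorders suites that are already enabled
            moved = [n for n in enabled if n in hit]
            enabled = [n for n in enabled if n not in hit] + moved
        else:              # plain selector: append matching, non-killed suites
            enabled += [n for n in hit if n not in killed and n not in enabled]
    return enabled

def sslv2_suites(cipher_string):
    """SSLv2-tagged suites that remain enabled after evaluation."""
    return [n for n in evaluate(cipher_string) if "SSLv2" in SUITES[n]]

if __name__ == "__main__":
    for label, value in (("current", CURRENT), ("proposed", PROPOSED)):
        print(label, "->", evaluate(value), "| SSLv2 left:", sslv2_suites(value))
```

In this model `+SSLv2` in the first string only moves the SSLv2 suites that `ALL` already enabled, while `-SSLv2` in the second removes them; a later plain `SSLv2` token would bring them back unless `!SSLv2` is used instead.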
Occasional Visitor
ekonop
Posts: 1
Registered: ‎12-04-2006
Message 5 of 6 (1,638 Views)

Re: SSL Server Has SSLv2 Enabled Vulnerability

I get the same SSLv2 Enabled Vulnerability. How can this be mitigated? This is in reference to the HP System Management Homepage. When I disable this service the SSLv2 vulnerability is removed, the only problem is that we use the system management homepage. Thanks
Honored Contributor
Rich Purvis
Posts: 470
Registered: ‎05-11-2004
Message 6 of 6 (1,638 Views)

Re: SSL Server Has SSLv2 Enabled Vulnerability

Latest versions of System Management Homepage have SSL V2 disabled by default. I would suggest you upgrade to the latest version.

-Rich
Why does my tivo keep recording Nickelodeon?